Date: 25 January 2024
Presenter: Zed Vladimir. Zed is a freelance IT and blockchain professional. He is an experienced Bitcoin trader with a background in the computer and network security industries. He has spent a number of years on cryptocurrencies and related systems, system administration, IT networks and security operations. Zed also hosts the Bitcoin Monthly meetups in Wellington.
Webinar Length: 1:13:39
There has been an increase in interest in businesses holding assets like bitcoin in treasury. Doing this safely is not always intuitive. With the recent demise of Dasset locally and the importance of “not your keys, not your coins”, more are looking into the requirements and models for self-custody for businesses in New Zealand. Zed will discuss options including multi-sig and federated approaches to custodying digital assets as both a business and an individual.
- [00:00:00] Introduction
- [00:01:37] Topic Introduction
- [00:05:06] Topic Overview
- [00:07:57] Basics of Self-custody
- [00:11:04] Centralised vs Decentralised
- [00:18:47] How to choose the right wallet?
- [00:30:19] Examples of Wallets
- [00:37:52] Password Hygiene
- [00:44:04] Offline backup and recovery
- [00:48:44] Phishing and malware prevention
- [00:53:01] Self-custody for Business
- [01:00:01] Challenges unique to business
- [01:04:38] Inheritance Planning
- [01:08:37] Conclusion
- [01:12:12] Wellington Bitcoin meetups
Kevin: All right, so kia ora everybody, welcome to today's session. So we're doing best practice for self custodying digital assets for individuals and businesses. And today we have Zed joining us. I'll let Zed introduce himself shortly. Just very quickly, we have a bit of housekeeping. So yeah, if you want to ask a question, please pop it in the chat and we'll surface it.
I think today's a small group start of the year, so that's, that's all good. So we'll probably make it a little bit more interactive. So Zed and I were just talking about pausing at the end of each section that he's going to run through, and we can ask some questions from there. So the session is being recorded.
And we will do a short survey at the end of the session just to get your feedback firstly on this session, but also to understand if there's any other topics that you'd like us to stand up. And we'll go from there. So I will hand it over to Zed.
Zed: Yes. Hello everyone.
My name is Zed. I'm originally from Czech Republic, now living in Wellington, where I also do local Bitcoin meetup. I have been in Bitcoin and crypto space for, I think a little bit over a decade now, so quite a while, and I kind of specialize a little bit in security and self custody and best practices, especially for new people, because it's one of the very important topics when you have people just entering the industry and learning how to do this and how to store their assets.
[00:01:37] Topic Introduction
Zed: So today we're going to go through these topics: short introduction and topic overview, a little bit of basics of self custody, what it is and what should we do, how to choose the right wallet, securing the digital assets, that's a little bit more about password hygiene and the basics of security of your systems, and self custody for business, and then a little bit about inheritance, because that is also part of self custody.
After each of these sessions, there's going to be time for questions and answers if you have any questions related to the section. So let's get to it.
Zed: So why do we even talk about self custody? This is the big question and I guess a lot of you have been in the space for a while and seen what's happening there.
So it's quite common that exchanges and custodial services get hacked or liquidated. There is a story after story. We don't have to get too far, just in New Zealand, one of the biggest hacks and thefts to date was Cryptopia in 2018, where almost 23 million New Zealand dollars got stolen. And apparently it's the biggest theft in New Zealand's history so far.
And then the year 2022 was just completely plagued by all of this. Now, we just saw business after business falling down and the contagion spreading through the industry and wiping out billions of assets, usually of people at the end of the line. It was a very tough year for everyone, and now more recently, just last year, not a couple of months ago, we had this Dasset exchange here in New Zealand, also getting into liquidation and taking with them 6.3 million dollars. We will see whether this money will ever get back to the people or not. So, this is obviously a big problem, and this is also the reason why we are here today to talk a little bit about this. Because me being in the space for a long time, if I would have my coins on exchanges, I would certainly lose quite a big chunk of it, because over these last 10 years, every year this is just happening.
This is a recurring story again and again. So one thing to keep in mind is there is a slightly different risk profile when we talk about custodial exchanges versus self custody. And that is, as I mentioned down here, that if you keep your coins in an exchange or custodial service, most likely your risk is theft or hack, insider job, potentially the liquidation of the company, which is a reasonable risk, quite big as we see, but while you are actually holding the coins yourself, the highest risk is yourself, it is you not being able to take care of your private keys and storing them somehow inappropriately and losing them in a way.
So those are really two big differences, because it's quite unlikely that you would get hacked and someone's going to come after your coins unless you are a high profile person and you're actually showing that you have a lot of wealth, but more often than not, you will be the one who's going to lose your coins and make some mistakes on the way.
[00:05:06] Topic Overview
Zed: So that was just a short introduction, and these are the five bigger sections. We're going to go through it, and I just put a couple of bullet points to see what we talk about. And after each of these sections, if you have any questions, just raise the hand there or jump in and let us know. So basics of self custody, we will talk a little bit about centralization versus decentralization. What is the difference? Most of you will probably know, but it's good to just go over it to have this clear, and what are the benefits and challenges of self custody? I mean, this is why we are here today to talk about this.
Then wallet options. What are the types of wallets? What are the security features the wallets have? This is going to be mostly a little bit more advanced security features. Like what can you do to top up your security over than just basic setup. And a couple of examples of wallets just to see what is out there.
And then the slightly less exciting section of security measures, which is the password hygiene, offline backups and recovery, and phishing and malware prevention. This is not related to self custody directly, but it is very important nonetheless, because if you want to store your money on your computer, on your devices, and you have malware on it, or you use a wrong password, the chances are very high that you're going to lose this money. So even though it is not an exciting talk, we still have to go over it.
And then we have a little bit of Bitcoin for businesses. So why would a business actually want to self custody Bitcoin? And when I say Bitcoin, I also mean other digital assets. I mean, I myself, I'm more in the Bitcoin space, but this basically applies to the majority of digital assets because the way coins and assets are stored is very similar. But especially for business, I thought more that Bitcoin would likely be the choice for the treasuries or for business to use, as just by the sheer numbers it's the biggest one in the space. So there is a little bit of best practice for business and unique challenges for business.
And then lastly, there's going to be just a brief section for inheritance because it is a part of self custody. When you self custody your coins and you perish, if something happens to you, these coins are still locked in your setup and unless you actually explain to someone what to do with them, they're gonna be there stuck forever. And you can just consider it a donation to the network, which is probably not something you would like to do. So we go briefly over it.
[00:07:57] Basics of Self-custody
Zed: And now let's just open to this first section, basics of self custody.
So how I like to think about self custody is this asset value approach, because I think it is quite a sober and reasonable way how people can actually think about the security of their money. If you, for example, have 50 dollars worth of digital assets, you don't need to be overly complicated about your setup.
You don't need to create a multi signature vault and try to store this money in and go straight into the deep end, because most likely you would just get scared out of the complexity of the setup and that would discourage you to actually store money in digital assets and save in the first place.
So if you just have a little bit of money in it, you can store it anywhere, anyhow you like, you can have a paper wallet, even though it is insecure and not the best practice, you can have it on your phone. But as you are basically growing your portfolio, you should also grow your knowledge and keep these two things simultaneously evolving.
So when you have more than a couple of hundred dollars, you probably don't want to store it in a paper wallet anymore. You probably want at least a hot wallet with your own private keys and your own seed backups somewhere. It doesn't have to be, it still can be custodial. That money wouldn't significantly hurt you if you lose it.
But when you get a bit higher, when you start having thousands, you certainly would want to change your setup into a cold hardware wallet. This is the next step in your security. And those are physical hardware devices created with the sole purpose to interact with your private keys and keep them safe offline.
So basically this interaction and signing process and creating of keys should never leave this device. And this is why we call it cold hardware, because it's basically offline, all these operations. And then if you go even a bit higher and you have a decent amount of money in your digital assets, it can be your savings, it can be pension funds or something, company assets.
This is the time when you would start thinking about a more advanced setup, which is usually multi signature. And that involves multiple different devices, which need to be present in order to sign a transaction and move this money out. So basically you can have this money in one vault, you could call it, but you may need multiple people to sign with their devices in order to move money out. So that is quite a good setup for companies, for inheritance, for funds, for anyone who actually wants to distribute the trust a little bit more than just for a single person.
[00:11:04] Centralised vs Decentralised
Zed: And now, a little bit about the centralised versus decentralised systems. This is also well known. It's being talked about in the space all the time, but just to have a little bit of understanding, what is it actually?
So centralised systems, and it can be a wallet, it can be an exchange, it can be a service provider, is the one where there is someone who is in control of your assets, private keys. We also call these services custodial. So there is a custodian who is taking care of your keys, meaning that someone else has to sign the transaction in order for money to move. Someone else can have to review your transactions and basically they can blacklist the transactions if they need to, they can stop the transactions if they need to, if the government asks them and such. So you are not completely, fully in control of your assets.
As opposed to the decentralised systems, which is the system which is directly connected to the blockchain and directly communicates with the blockchain. And you are the one who owns the private keys. Also, we call it non custodial. This means that no one can basically stop any transactions you do, because as soon as you sign, this transaction gets sent directly to the blockchain and propagated through the network. So there is no one actually between you and the network. You can send to whoever you want, you can receive from whoever you want, and there is no one being able to stop the transactions.
Both of these systems have some benefits and challenges, as it is always in life. There is some balance. And so centralised systems are usually easy to use. They remove the complexity from having to deal with all the technicalities of the backend. And also a big one, I think for many people, there is usually support available. You know, we live in this society and we kind of rely on support being always at hand. Somewhere there's a small chat button on the corner of someone ready to help you if you have any issues. So this is what the centralised systems quite often offer. And I think it is very good for many people. People like to have the support available, especially when they are dealing with technical complex systems they don't understand fully. But of course with this come the challenges, and one of the biggest ones is that money in these systems tends to accumulate because there are a lot of users and a lot of customers, and this basically creates a big pile of money, which we in IT call a honeypot. And this just makes it very attractive for hackers and malicious individuals to try to attack such systems. And I guess this is the big issue, because no matter how well you try to protect your systems, the more money is there, the more sophisticated the players are going to be, and it really becomes very difficult to make sure that you are safe from all possible aspects.
It can be a malicious employee even set up to infiltrate your company and steal the funds. We saw it all. And also other challenges of centralised systems are regulatory change, know your customer, blacklisting. You have to usually submit all your details and all your data in order to use the services. And of course, this is not great for privacy at all.
And as opposed to this, in our decentralised systems, you have control of your transactions fully. You have control over your security. It's unclassified, unconfiscatable and you reach better privacy, but the problem is that you are fully responsible for these funds, which most people are not ready to do, to be honest.
I mean, us in the Bitcoin space, we learn, and this is something what we are here for. We love to have the full control and custody, but frankly, there is a huge amount of people around the globe who are just not there to take full control and full responsibility for their own money. And the challenge of the decentralised systems is that the main problem is if you lose your keys, if you lose your private seed or your wallets and you do the backup wrongly, then the money and the coins are gone and no one can recover it, which can be quite daunting for many people.
So it does require a little bit more technical understanding, not much, it is not very difficult, but it does require some technical understanding. And of course the issue is there is no support, there is, you can go and probably find people on Twitter who will be very happy to give you a lot of opinions about what's your problem, but it is not that you can just click the button and have support dedicated for your wallet or for your cause. And so it is a bit more challenging when you come to the decentralised systems.
So that was just briefly the overview of what is self custody. What does it mean? If you want to ask any questions regarding this, feel free.
Jim: Is there a definition of self custody? By that, I mean where your keys are and that you're the only one that has access to your keys and no one else does. And the keys aren't split and shared across the internet, that sort of thing.
Zed: Yeah, I think, I'm not sure if there is an exact definition, but I think you kind of said it quite well. If you are in full control of your keys, that is something I would call self custody, but I wouldn't exclude the option where you actually split the keys willingly and have multiple parties having them in order to sign a transaction. I think it is still self custody, but you would say maybe like federated self custody or something like that.
Kevin: Definitely a spectrum, isn't it? And I think that's something that's evolving at the moment. I think the BitKey release later this year will be interesting as well, because to your point, Jim, I think it's the mixture, what, what mixture constitutes self versus custodial kind of where's that switch. But I think those, those definitions are evolving.
Jim: There are some solutions where you only get half the key. So you are reliant upon the other party and if something happens to them, then did you ever have self custody?
Zed: Yeah, I don't think that would be a good solution. I think there are solutions where you have multiple keys but you kind of mitigate the risk that if one part is gone, the whole setup is compromised. There is, for example, a Shamir key setup, which allows you to create multiple seeds. And it's kind of like a multi signature seed setup. So you can say, I will have three seeds and two of these seeds can recover my wallet. So it is something slightly different than multi sig because you don't need to actually sign for a transaction, but you need the seeds to recreate and recover the wallet, and that's a good setup, but if you would have two out of two keys and one gets lost, then yeah, that I would also question whether it was self custody at all, or it will be certainly quite dangerous, no?
[00:18:47] How to choose the right wallet?
Zed: So should we carry on and check this, how to choose the right wallet? So there is a little bit of an overview that I put together for basic choices of wallets. I think this paper wallet here was more like just to let everybody know that they exist, but it's not like I would encourage people to use them other than having them as gift cards, but it's still good to mention the options.
So one of the probably most used wallets are hot wallets. And those are the wallets which are actively or frequently connected to the internet. Those will be your smartphone wallets or desktop wallets on your PC or your Apple. And the benefit of those is that you can access them fast. Having a wallet on your smartphone is a really convenient way to accept and send payments, and they are great for smaller amounts of money or to have pocket money for paying or paying to your friends or taking it with you when you go to a meetup to present to other people how you actually send transactions, but they are certainly not a good option for long term storage.
For that, we have here the second type, which are cold wallets and they are called cold because basically they should not be connected to internet and they should be stored in cold somewhere away. And those are usually dedicated hardware devices which plug in to USB or Bluetooth and their sole purpose is to get all the complexity of dealing with the keys and signing transactions inside this hardware device without having to touch the internet.
So the device itself will initiate the creation of the key and when you need to use and sign the transaction, you will plug the device again and sign it through the device. There is a lot of different models, a lot of different companies these days, but generally the security of such devices is way, way higher than the hot wallets.
You still need to deal with the factors like having to back up your private key, which it will give you when you set it up, but I think they are great devices for long term storage and for money you don't actually need to carry with you in your hot wallet, and everybody who is in the space should use one. The differences between each model are minuscule, but the main purpose is the security of it, which is really way higher.
And then what I just wanted to mention briefly here at the end is the open source versus closed source wallet. You also tend to hear about it, not so much these days, but there was a time when this debate was quite lively and heated. And what does it mean actually, open and closed source? It is the way how the developer of the wallet, so basically the company or whoever is writing the code for the wallet, decides to disclose or not disclose the underlying code. So open source means that basically the code is somewhere in the public domain and you can go and read it yourself. It is good because otherwise you don't actually know what is happening underlying in the wallet. And if you cannot read the source code, how do you know that there is not a malicious piece of software actually monitoring your transactions? Or even how do you know that the private keys never actually leave the wallet and they are still just there?
So open source, I think, as a standard for wallets is very important, and I wouldn't personally use a wallet which is closed source for my savings. Even the hardware wallets, it's not that I am able to read the code myself, but I kind of have more trust in the fact that the community can double check it and read it. And yeah, I think it's just too dangerous. Even with hardware wallets, malicious firmware can steal your money. And if you cannot read the source code of the wallet, how do you know that it's not there? I mean, of course, a company wouldn't want to destroy their reputation, but how far does this go, when Bitcoin is worth a lot of money, maybe the company will prefer to steal your money and run somewhere nice than, you know, be selling small devices.
So this is something to keep in mind, and I think it's good to have open source wallets, especially for your cold storage, for your bigger savings. So that is just a few features wallets offer, you know, there can be a plethora of things. Each wallet is slightly different and there is a lot of security features going from DurasPay, Blind Signatures, but this is kind of the three big ones. So I picked them up for this session.
So Seed Backup. Basically the seed almost equals your private key. It's not exactly the private key, but the seed is the string of English words you usually get when you create your wallet, it is the human readable manifestation of the private key. It runs through a certain function. The private key itself would be very long and hard to read, hard to replicate, hard to back up, a string of random letters and numbers. So, in order for us to actually be able to deal with this a bit more in a human way, we got the way that it gets translated to these 12 or 24 English words. And that's what is called your wallet seed. And that is what is very important for you because, basically, you have to back it up. This gives anybody full access to your wallet. So it is a great, great step up in backing up technology because you can just write down these 24 words and store them somewhere safely.
And in case your wallet breaks down, your phone breaks down, you can recover all your funds. Which is very convenient and it's great, but you have to think about how you are storing this information. Because basically if someone else is going to get access to it, they can recover your wallet and take all your funds.
So it kind of improves the life of people who hold in their self custody, but also it makes it more difficult because now you have this other thing you have to deal with and you have to store and save. But unfortunately, that's the trade off.
So the second feature I quite like, it's called passphrase, and it is not offered in all wallets, I know that Trezor has it, but basically what does it do, you can set up a passphrase and it creates this hidden vault wallet inside your wallet. And it is tied to that passphrase. So for example, if you have passphrase A, and when you log into your wallet and you type this passphrase A, it will create a vault of your funds, just tied to this passphrase A. If someone else puts passphrase B, it will create another vault which will be tied to this passphrase B. So it is a really high security feature because if someone is trying to extort you and get into your wallet, they firstly don't know if you have a passphrase, you can just turn the feature off. So it will not ask you in the beginning and you still have it there. Or they don't know which passphrase actually corresponds to your real wallet.
You can have there three, four different passphrase wallets with different funds. So this actually is a really high level of security and it mitigates a lot of different attack vectors, but unfortunately it has its pitfall as well, and that is that this passphrase now is really tied to the wallet where you have funds and you have to have it stored and secured somewhere. So now it is not just your seed you have to have, but you also have to have your passphrase. But if you are able to do that, I think the increased level of security is very high.
And then lastly, the multi signature, that's the most difficult, most advanced setup and most secure as well. That is, we already mentioned before, the one where you have multiple devices or multiple signees. It can be a seed signer, a card, it can be a hardware wallet, it can potentially be a hot wallet. It can be federated custodial as a third party company. So there is a lot of options and basically, it really gives you much more peace of mind if you, for example, set up multisig where you need to have three people out of five being able to sign to have a transaction, this could be your whole family, and this could be your family saving, this could be some generational wealth you are all putting together, and you know that this is not going to be touched unless the whole family agrees that, okay, we need to use these funds for something.
It is really good, but because the multi signature is a bit more advanced, I wouldn't recommend anybody who is new in the space to just try to jump in, unless doing my multi signature setup as my first wallet. I think you kind of need a little bit more time to grow to understand how it is done properly, because there are a couple more technical things you need to do well in order to make sure that these funds are secure.
Kevin: Jim's just got a question about is the passphrase tied to a particular wallet provider or could you use it in any wallet?
Zed: So passphrase, in a technical way, how it works, I think it adds an extra seed word into your seeds. So if you, for example, have a 24 word seed, and then you use a passphrase, this passphrase is going to be used as a 25th word. So when you have the wallet where you can recover the seed phrase and you have this ability to actually add the extra, you can recover the passphrase anywhere. So not all wallets have it, but I did it in the past, I think in Electrum, that I just recovered the seed and they give you the option to have these extra words at the end and that will recover the passphrase wallet. So it is tied to actually the blockchain and Bitcoin standard.
Jim: So the other thing on that is when you look on a blockchain scanner, you can normally see how much assets are in a wallet. Would it add up all of the different passphrased accounts into the one?
Zed: So I think it wouldn't, because basically if you do a wallet scanner you're probably using xpub, which is deriving all the public keys for the wallet, but this will be using the wallet under the seed and private key, which is basically now different from the one with the passphrase. So I didn't test it. I cannot say a hundred percent this is how it works, but my assumption would be that you would only see the assets which are in the underlying private key in the wallet. But the passphrase is basically now a different private key, a different wallet.
[00:30:19] Examples of Wallets
Zed: So here we have just quickly a couple of wallets to look through. So those are the hot wallets. Those are the popular hot wallets people use and I use as well. And so I just wanted to give a couple of examples. Blockstream Green wallet is really nice for Bitcoin and Bitcoin related assets. It was and usually is one of the ones I recommend to people who are newer to the space, but unfortunately these days with high Bitcoin fees on mainnet, it is kind of questionable whether you should still be getting people into mainnet rather than Lightning.
Then MetaMask, I think, is quite a favorite wallet for people who use Ethereum. It is an add on on your browser and it makes it really convenient to work with your digital assets, NFTs, other coins, because basically it is integrated into your browser. So anywhere you log in, where there are Ethereum services, you just log in directly with your wallet. You have all your assets and your coins with you, and you can immediately trade or spend. I don't use it that much because I don't work much on Ethereum, but when I did, I really liked the convenience. It was actually a very easy way to interact with the whole ecosystem.
Then Exodus, Exodus is a wallet which is also hot, but you can have an application, desktop or browser, they have a lot of options and it is good because it has plenty of assets. I think probably one of the wallets which have the most assets of all. So if you are into getting a lot of different coins, which I wouldn't recommend to anybody, but if it's what you like, Exodus is probably a good wallet for you because you can have everything in one place. They are claiming that they are non custodial, that you are the owner of the keys, but I haven't actually tested it out because it's been a long time since I used Exodus and I would take it a little bit with a grain of sand whether you can have private keys from all the underlying coins or whether they just give you private keys from their wallet and then you have to use their wallet to recover. It's kind of hard to say.
And lastly, there is this Wallet of Satoshi, which I quite like, it is a custodial mobile wallet. So you don't have direct access to your keys. You have to trust them with your money, but it gives you very simple and easy access to Bitcoin's Lightning network. And that is very cool because Bitcoin's Lightning network is very fast and convenient for small payments. But the technicality for setting one up yourself is quite challenging. It will be very hard to get someone on their first meetup and try to show them some transactions and send them a Bitcoin Lightning transaction and set their wallet up properly, that would be probably beyond their understanding.
And here we have a couple of hardware wallets. They are all the well known options tested by time. Trezor is actually the first ever hardware wallet, which was created in the Czech Republic, and it was in 2014, they basically set up the standard for a lot of hardware wallets, and they created BIP39, which is how we now create the seed phrases. It's a nice wallet. It doesn't have that many altcoins though. So I think for altcoin enthusiasts, they probably prefer Ledger, but I like Trezor because it has a lot of good security features. You have there access to coin control, so you can see all your different unspent transaction outputs, you can do timelock. So if you have some friends who always spend their Bitcoin, you can timelock their coins for a couple of years to make sure they will hodl, and things like that.
Ledger is probably the most used hardware wallet. It has been around for quite a while as well. And I think it's popular because it offers a lot of different altcoins. There were a couple of issues they had lately, and so I wouldn't be sure if I would recommend it to everyone as their first wallet. I think Ledger is closed source and it kind of also shows that this can be the issue, because just recently there was a problem with some library in the bridge, which was communicating with the treasurer, and it actually led to people losing their money.
And Jade is a little bit newer wallet. It's made by Blockstream and it's also focused on only Bitcoin and Bitcoin related assets. So Bitcoin, Liquid and then assets on the Bitcoin Liquid network. What is nice on Jade is that it has Bluetooth. So for people who only work with their smartphones or tablets, for people who don't have laptops, this is a good option to actually have a hardware cold storage wallet for their Bitcoin.
And then lastly, there is Coldcard, which is something like a flagship in the Bitcoin community in terms of security of the assets. It is supposedly one of the most secure wallets on the market. It has plenty of security features. Even to the extent that you never actually connect it to the internet at all, that you only sign transactions on the device and then you take the SD card to plug it into your laptop and there you have the signed transaction which you propagate to the network. It can be a little bit daunting for people to go straight to Coldcard, but on the other hand, I heard good reviews that people actually learn a lot about blockchain and Bitcoin and how all of it works from being able to set up this card. And when they set it up, it actually is quite simple to use. So yeah, for people who like to learn, this could be a good way to get a little bit more exposure into what's actually happening underneath. All right, that was our wallet setup and wallet options. If you have any questions, go on.
Jim: Earlier on, you mentioned about a type of wallet that could have more than one seed phrase to recover the funds. If you've got a hot wallet, you've downloaded an app off the internet and it gives you your seed phrase, and you think you think self custodial, how do you know that it's not set up one of those wallets that's got another seed phrase where they can draw the money out?
Zed: So this is the multiple seed phrases I mentioned was in relation to that passphrase. So it is not like it would have multiple seed phrases in the wallet itself. It is that when you create a passphrase, it kind of extends the original private key, original seed with the passphrase to subdivide the different accounts.
But it doesn't mean that there is like completely different private key. Once the wallet generates the private key, this is basically the one which is there. So when you download hot wallet from the internet, and you set it up, this seed you have there is the only one which is initially initiated in the wallet. But then the question is, if it's the closed source wallet, maybe you don't know, you know, maybe you don't know what actually happens there. But if it's the open source, one of the wallets widely used, the seed you generate is the private key basically your wallet will use.
[00:37:52] Password Hygiene
Zed: This is a slightly less exciting session about what we should do in our daily lives to not lose our assets. So of course we have to go through this password hygiene. We all hear about it all the time, how we should have our secure passwords, which will contain randomly generated words or strings of letters and numbers.
It seems like a completely unattainable goal, how we actually even do it. And it always puzzled me how we even got here in the first place. I mean, we created an internet where you need a different password and different login details for every single page you visit. It is complete madness. And it's really very difficult for a person to be secure in this environment, because we just don't have the capacity to remember all the passwords or generate ones which will be secure.
So as it always goes, you should not reuse your password. You should certainly not use the password you use for your Google or Facebook or social media, because those passwords quite likely are already somewhere on the internet to be shared or sold to the highest bidder. If you have never tried it, I suggest that you check this website, which is called Have I Been Pwned? If you put in an email address you use quite often, it will show you whether this email address is associated with one of the known data breaches or hacks. And you can even set it up so that they will send you a notification when they find out that your email has been compromised somewhere.
So this is kind of good to have a little bit of a glimpse of whether the password you use for your daily Gmail has already been compromised or not. But for me, there is only one way to deal with this issue of strong passwords, and that is a password manager. It adds a little bit of extra complexity, in that you now have a piece of software or service you have to trust and use for your passwords. But if you compare it to just reusing your password for everything, I think it is a much better option.
So a password manager is basically either a service you pay, and they will tell you, now we will generate passwords for you, and whenever you access a website, through a browser add-on you can just input the password and log in, and that is quite good. Except that you have to trust the company which now holds your passwords. And I think it is probably fine, because these password manager companies have been growing quite a lot, and there are quite a lot of them proven by time. So I think you can find one which will do a great job. But for me, from my own learning, I just don't trust any other third party with my password and with my money. So I like to use one of these password managers like KeePass, which is open source software. You just download it to your computer, and all it is is basically an encrypted database which has certain functions like generating a random password. But it is very good, because once you learn to use it, and it takes a little bit of time, it is something new, suddenly you don't just go and write your one password in a website, you have to go to your password manager to get it, but you can generate random passwords of 40 or 50 characters for every single website from now on, and you will completely stop being vulnerable to this type of attack where someone would know your password. And even browsers lately, like Mozilla Firefox and I guess the other big browsers like Google's, offer this option that they generate passwords for you. So when you are actually signing up for a new service, they ask you if you want to generate a password.
And in this way, they basically will have a vault inside your computer where they will store these passwords. But I guess it is still better than if you would just reuse the one password you use all the time. It's not the option I would choose; I still prefer to have the self-encrypted KeePass, but I think for many people this is still a quite valid and good option. Just get the browser to generate random passwords, save them in the browser in your account, and the likelihood that your account would get compromised there is still relatively small compared to the fact that someone's just going to get your Google password and try it on every single service you ever used.
And of course, the best practice to use is two-factor authentication. Let's hope our banks will still catch up with this and we will be able to use it in the 21st century, because they seem to be utterly slow. Two-factor authentication is this tool which allows you to scan a QR code, and then it will generate every minute a random string, a random password, usually a six-digit number, which you need to input to log into a service, usually an exchange, not a wallet, but some wallets have it as well. And it is a great security feature, because suddenly having your email password is not enough to log into the exchange to get to your funds. Suddenly the hacker would actually need somehow to get access to your phone, which is quite difficult. It's not so easy to actually hack into someone's phone, especially if you don't know who the person is, where they live or anything.
So two-factor authentication is a great security feature, and I would recommend everybody to use it. You don't have to use it everywhere, but especially with services which are somehow critical to your money or to your privacy or to your data.
[00:44:04] Offline backup and recovery
Zed: Offline backup and recovery. This is quite an important topic, especially when we're dealing with cryptocurrencies and Bitcoin, because your backup is basically what holds you, what protects your keys both from yourself losing them and from an unauthorized person coming in and stealing them from you and getting access to your funds.
So the biggest lesson is that your seed is very critical and should never be put anywhere online. It should only be stored offline. So when your wallet is giving you your seed phrase, when you are initialising it, you really should not take a picture of it with your smartphone or put it in your Google Drive. Just recently we had this case again where a guy who was in the Bitcoin space for 10 years used his KeePass as well, but then backed it up to his Google Drive, and the encryption of that KeePass was weak enough that it was possible to brute force it, and someone just stole 25 Bitcoins from him because they were able to access it, and this seed should not have been in a KeePass in the first place.
So the seed really just stays offline. Even if it's a piece of paper and it's difficult, you can potentially get one of these devices, which is down here on the picture; they are called steel seed solutions, and there are multiple vendors creating them, and you can see that if you have the steel plate where you input your seed, it is not so easy to get it destroyed. It is not so easy to lose it or throw it in the bin like a piece of paper, which your wife finds when she's cleaning your drawers, you know. So when you have more money in it, I think these steel plates are quite good, and just keep it offline. Never put it anywhere online. Don't take pictures of it.
And also you have to think about the fact that when you actually lose the seed, it doesn't just mean that you should go and generate a new one, just go to your wallet and do "show me my seed" and write it down again. Because a lost seed means that now you don't know where it is, which means maybe someone took it and maybe someone has it. And that means maybe my money can disappear at any moment. So when you actually lose the paper with the seed, you should just go to your emergency procedure: my wallet was compromised, move all the funds out, recreate the wallet completely, delete the old one, create a new seed, and then move the money back when you know, okay, now I have full control. I have my device and I have my seed here. There is no other copy.
The next thing is that people should test this recovery process on their wallet. The last thing you want to have is the anxiety that you don't actually know whether this recovery works. You get to this new technology, you load your wallet, you are all ready to move funds in, but you're like, will the wallet actually work when I need to recover it? You don't want to be there, so just test it: send a little bit of money, delete the wallet, use the recovery function and recover it, and see if the money is there. I can assure you that when you do this, you will sleep better at night when you have more money in it. And it goes with all the different devices: when you move to a new wallet, test it; when you move to your multi-signature setup for the family, test it first. You know, it really is worth a little bit of extra time to make sure that you've done everything well.
So having the seed stored in a different location from the hardware wallet, that is good practice, because if your house catches fire or gets flooded or something, you don't want to have both of these private keys in the same place. You want to make sure that one is always somewhere else, and you are protected from this type of disaster. And so there is also a disaster mitigation strategy. That's kind of the same thing too, to think about it a little bit. We don't like to think about our house going up in fire, of course not, but it is a nice thing to know that if it would happen, maybe your savings, which are stored in your digital assets, will be fine, so I have some strategy for it. And then one more time to just mention, if anybody gets access to your seed, they have access to all funds, except if you have a passphrase. If they got the seed and they didn't have the passphrase, this separate vault is still safe, but you just have to treat it really carefully.
[00:48:44] Phishing and malware prevention
Zed: And then a little bit about phishing and malware prevention. There are a lot of possible attack vectors which could happen to you, but I think phishing is so prevalent and it happens so often that it is certainly good to mention, because phishing scams are just wild. Every time I open my emails, there are going to be one or two attempts. And if you are in the space of Bitcoin and digital assets, this happens even more, because eventually your email will get leaked somewhere. One of the exchanges is going to go into liquidation. They will have to disclose all the customers, and your email and your name will become a public database. And that's going to get people interested, and soon after you will start receiving phishing emails.
This one down here from LocalBitcoins, that's kind of a little bit how it looks. How I like to think about it is this first thing I've written up here, and that is that phishing scams exploit greed or a sense of urgency to bypass the reason and judgment of individuals. This is really the case; in like 90 percent the email will try to play on your sense of urgency. You have to do something fast because your wallet's going to get locked and you lose your coins, or the great airdrop deal will expire, or you need to do an emergency upgrade. That is one thing, and the other thing is greed. Of course, greed is easily exploitable; it is like, there is this great option, you can get your money multiplied, or send a little bit of money here and we send you more. There is plenty of this, and I mean, we laugh at it, but it just happens that people get scammed by it.
One of these emails is going to be a little bit targeted to you, or a little bit play on your weak moment when you are actually stressed by something else. You know, it doesn't have to be this, and your judgment is already a little bit impaired. So, the thing is, your email should just be taken as a dangerous place. This is the point of entry for hackers and scammers, and you should be careful about the emails you receive. Never click any of these buttons here. If you are doubtful whether this is real or not, just go to, for example, here, I would go to localbitcoins.com and try to see whether they say anything about this emergency upgrade, or if I would still be in doubt, I would contact one of the support teams. I certainly wouldn't go through their link here. You just go to the official website and read whether this is real or not.
And when it comes to malware, malware gets to your computer usually through infected files. So that depends on what you do on your computer. If you only download and execute files from known providers and known companies, and you don't use your computer maybe that much, I guess there's not such a big chance that malware would be there, but you never know, especially if you share a computer with your kids and they play games and they download cracked software and you don't know what. Maybe that would be the computer where you wouldn't really want to access your savings and things like that. So depending on how much money you have there, I think it is a good option, maybe later in the digital world when you feel like your net worth and your savings are quite high, to just get one small laptop, which will not cost that much money, ideally with a Linux operating system, and just use this laptop for dealing with your digital assets and nothing else. Don't install different software on it. Just have your wallets on it, connect to the internet, and have it as your secure environment, as your bank, basically. This is what we do when we are self-custodians. We are our own banks, and yes, that's the section done. If you have any questions regarding this, go on.
[00:53:01] Self-custody for Business
Zed: Let's go to the business one. So why would a business want to self-custody? I think improved control over treasury assets. That's the one everybody thinks about. It goes the same as for an individual. You basically have freedom over money, or the business has freedom over how you want to spend it. You have good control over who actually will have access to this treasury by creating this multi-signature setup.
For example, you can say that if three of five directors sign the transaction, they can move the funds. So then you also know who signed, because when the multisig transaction gets signed, you see which keys were used. So that is quite good for many businesses. Reduced reliance on third-party companies: you don't have to really have downtime when your bank is on holidays or when there are weekends. You don't have to wait for exchanges to open. It's quite convenient to have full access to your money all the time and be able to use it any time you need. And also you don't have to be afraid that if something happened to these third-party companies, maybe your business would get disrupted by having downtime.
There can be a bit of cost saving, because if you hire a third-party company to custody your assets, not talking of banks now, but if you would have a third-party company to custody your digital assets, they will probably cost you quite a decent chunk of money, depending on what your business size is and what they actually have to do for you, how many transactions you are doing, and how difficult your scheme is in terms of key management and security and such.
And enhanced transparency and security. Security can be enhanced quite massively if you know what you are doing and if you apply all the best practices correctly; this multi-signature setup is really good, and you know that your money is safe. And transparency of the blockchain is something probably a lot of companies will not feel so happy about, but some will. I mean, if you want to show how much you own of your digital assets, you don't need to have a third-party auditing company actually doing monthly reports on your money. You can just point to wallets which you are controlling, and people can see it on the public blockchain. So for example, as well, if you are a company getting donations or raising funds, this is a great way you can just easily share this information, and everybody knows that this is the truth. This is not a report which could be managed wrongly or have some issues. This is just a blockchain, which doesn't lie, and all the assets which you see there are there.
And best practices for business. I think every business, probably, unless it is a blockchain business or Bitcoin business with years of experience, needs some professional help, especially in the beginning with the setup. It is not very straightforward or easy to do a multi-signature setup correctly, and especially with a company it will probably add some complexity; there may be different layers of people who need different access, and they will need different keys. And in order to do this correctly, you probably want to contact companies like Unchained Capital or Casa, which will help you with the setup. And this can range from something like only doing your initial setup and giving you some advice on how to do it properly, to the extent of having collaborative or federated custody with these companies.
So what that means is that they would basically hold a certain amount of your keys for you in case of emergency. So maybe if you have these five directors and you wanted to have three signing devices for them, maybe then it can be like seven out of five and the other company would hold two keys. So they wouldn't be able to send or spend funds, but if one or two of your directors would disappear or lose their access, they could still offer you these two keys as a backup to be able to access the funds. So this is very flexible. This was just a quick example, but you can set it up in any way you want. And this collaborative, federated custody is probably a good option early in the game when you want to feel comfortable that you actually know that someone is backing you up, but you want to go this route to self-custody. So maybe this could be your initial setup, and then later when you learn a bit more, you will feel comfortable. You'll be like, okay, I can get all my keys and take care of them on my own.
Implementing clear internal controls and access protocols. I guess this goes for every company. This is not unique to self-custodying your own keys, but you will just need to have this a little bit more correct and keep in mind that this key management needs to be part of your setup and of your protocols.
Regular security audits and penetration testing. This also should be for every company, but I guess a lot of companies are trying to save money on this aspect, because security and audits of your networks are not something you really need to take care of until you have an incident, and then it's usually a little bit too late. So especially if you are actually holding your digital assets, your money is in your networks. This is something you probably don't want to save money on, and this is something you want to keep up to the notch.
And then maintaining detailed documentation and recovery procedures. This is again the basic company structure and how they should operate, but with digital assets you just need to add these extra sections so you know that it's well documented. And if you change employees, everybody will know what to do. And especially when some emergency happens, you want to make sure that you can quickly assess whether your assets were compromised or whether you have full control over the keys, and procedures regarding this can really save you money and time.
[01:00:01] Challenges unique to business
Zed: Then a little bit about challenges unique to business. The biggest one is probably this fear of having too many assets under your control, your direct control, the fear of responsibility. This goes a bit higher than for an individual who is starting and having a little bit of money in their wallet and slowly learning the way. Now, as a company, you can actually have quite a substantial amount of assets under your control. So I guess until you feel comfortable with what you are doing, this can be quite daunting. Implementing robust internal security protocols and employee training. Employees will need to get some extra training. This is something very new, which probably the directors will have a hard time understanding. And then if there are people who need to deal with the digital assets or with self-custody or with multisig more often on a daily basis, they will need to understand what the hell it means and what we should do.
So the company will have to invest a little bit more in employee training. And security protocols also need to be a little bit more thought through, because you just have your money on your networks.
And then lastly, navigating regulatory compliance. I guess this is also a big one. Here in New Zealand it feels like lawmakers and regulators are not so bad in terms of digital currencies. They actually have decent guidelines, and it looks like they understand this landscape and this industry reasonably well, but it still doesn't mean that this cannot change very quickly, in terms of laws or regulations or tax implications. This is still very, very much evolving. And if you are a business and you are dealing with digital assets, you probably need to keep a little bit more on top of what's going on in the regulatory landscape.
You don't want to get caught and get into some trouble just because you were not following the latest news. So that was a bit shorter regarding business. I don't know if you have any questions.
Kevin: Maybe one. I mean, it's interesting that we talk about documenting the procedures and those sorts of things. I look back at, I think there's a, is it a Canadian, I think it's Tahini's, the guys, the restaurant, launch of Bitcoin in treasury. And I look at how they probably, I mean, they're not technical people, well, sorry, their staff won't be technical people and things like that. So documenting things and doing those sorts of things are probably going to be quite challenging for a restaurant. What's your advice for non-technical businesses, where they probably don't have a lot of, well, they don't have any tech documentation? Would it be to sort of stick with a Casa or Unchained? Or, you know, what's sort of your suggestion there?
Zed: You mean for holding the assets, or for creating the procedures and getting the business more on top of both? Yeah,
Kevin: Because I guess it's quite, I mean, it's quite technical, some of this, so I guess all of that. If you're a restaurant and you're looking to put Bitcoin into treasury, for example, what would your advice be in that instance?
Zed: Yeah, I guess probably depending on how much money they are planning to put in it, the kind of wallet setup they want to do. It could even be just normal cold storage, but if they want more, if there is a lot of money, then they probably want multisig, and if they want multisig, then they would need to know how to implement it properly, which would most likely require someone like Unchained Capital or Casa giving them advice. I mean, it would be great when the industry in New Zealand has developed a little bit more and we actually have people here in New Zealand able to do this, you know, because it feels a little bit awkward to be contacting people in the United States and asking them how to do your wallet setup and such.
So hopefully we will grow our knowledge base and our community here so that soon we will have someone offering these services in New Zealand, but for the time being, I guess this is your option, because if you don't know who to ask here for this help, then you would contact Casa or Unchained Capital, and even just getting the initial setup and initial consultation would be a good way.
[01:04:38] Inheritance Planning
Zed: And this last topic about inheritance, that's just a short one for our closing. So self custody extends beyond your own life. As I said previously, if you, if you have your wallet set up and your keys stored and everything is go, your assets are growing in value, that's perfect. But the externalities like accident you can have is something you cannot really predict, and we are not very well equipped in dealing with this, especially we tend to feel like we will live forever and things like that.
It is good to actually. At this good lesson, maybe the Bitcoin and digital assets give you that you may not live forever, and now you have here something which you would like to make sure can be passed to your family in case of accident. It is very big topic, to be honest. We could talk about it probably another hour easily. It's just really extends to many different levels because now we are no longer talking just about the wallets and blockchains, but you have to get a law and the regulations and other people involved in how this should be done. But I think the very basic is that you should make sure that someone in your family knows that you have some digital assets, you hold them, and this is something that should be recovered in case of your accident.
So that would be a good start if you have a person in the family who is a little bit technical, even better if you're a person in a family who understands Bitcoin, that is a great, but it may not be the case for a lot of us, but you should know someone, you should let someone know that you have this assets and then you need to start working on your strategy, like same as it was with the asset value of your wallet.
If you hold 50, maybe you don't need inheritance plan for how your family is going to make it, get it, but maybe if you have 500, with the way how these assets grow in value, maybe already 500 could be something you should, you could think about. Who knows how valuable it could be in 20 30 years. So. When you feel like there are, there is enough of money that could actually really mean or change the life of your relatives this is probably the time when you need to start thinking about your crypto inheritance strategy and build it small, start a little bit, start with thinking how your seed could potentially maybe tell your wife that you have the seed and she shouldn't throw it away.
And this is something she may need in case you have an accident. And as this, as your money grow in your holdings, just learn a bit more about it. Maybe finding a legal advice. I mean, it's not something I did, and I'm not sure if there is too many people in the legal industry who could actually really give you good advice about inheritance asset, but that would probably be the place where you could go if you don't know anyone else. But I quite like this book I put picture of here in the site, Crypto asset Inheritance Planning by Pamela Morgan. There isn't too many books written on this topic, but she actually did a very good job. It's not a big book, but it describes very well. The different landscape inheritance is opposed to just wallets and our blockchain and such.
And she gives a ton of good advice and recommendations, how you can start building your own inheritance plan and such. So. I would recommend everybody who is thinking that this may be something you want to do to get a book, read it up. It's better to do this better than later, and it's good to kind of, same as your wallet journey is getting you into securing your assets a bit more, go and explore this inheritance journey and make sure that if you actually put all this effort to storing them and having them and working for your Bitcoin holdings, that someone can benefit in case you have accident or something.
Zed: And so I have here a little bit of conclusion for the end so I think myself, the self custody is really a great way how you can hold your assets. I also want to mention, it is not just about, it is also quite philosophical, because this is basically one of the underlying principles on which Bitcoin was created. This is the underlying principles why we have cryptocurrencies. At all was the fact that you actually want and can have full control over your assets, that they are unconfiscatable and no one can block your transactions and tell you what you can or cannot do. It was such a breakthrough for me to be finally first time in my life, able to send money to my friends in Africa. You know, and I didn't need to ask for permissions of bank and such, and this all come to self custody and really having the control of your money. So I think it is the great thing, and I think people should go in this direction. But it also comes with the fact that You need to learn, it does need some investment of time to be implemented correctly, or it needs help from person who can tell you how you should do this.
So as much as I like it, I also kind of understand that it is not for everybody. There will be a lot of people who will use custodial services, who will be afraid to take responsibility, who maybe got better service or user experience from custodial services, and that is completely fine. I mean, if it is good, if people understand their options, it is good that they understand the differences. And also, this is why we are here today to understand a little bit, what are the trade offs and then make a decision for whatever suits you best. And hopefully it's going to be a good decision.
There's a couple of links and resources. I didn't actually mention this Unchained Capital Business Solution. This is one of the companies; I guess Casa will also have a similar article. You can read a little bit more: if you are a business, what do they actually offer, what is the way they assess businesses, and what can they do for you?
It's a good place to start to even get the discussion going about what a business actually needs in order to implement self custody correctly. Then this second one, Wallet Scrutiny, is the project of my friend Leo, who is collecting data on a lot of wallets and doing analysis on basically: is this wallet open source? Is it closed source? Is the code that they actually have in their GitHub the same code which compiles into the wallet? And he ranks the different wallets. So it's a huge database of many Bitcoin and crypto wallets, where you can just have a look at what he thinks about them. I think it's a very good resource for new people.
And this last link is for Jameson Lopp and his Bitcoin custodian security talk. It's a couple of years old, but he did a very good job. It is a little bit more technical than what we were talking about today. So for people who want to go and dig a bit deeper into wallets and key management and other topics, this is a very nice resource as well.
And that is a little bit of contact information for me. I'm very happy to help with anything Bitcoin related and wallet related.
[01:12:12] Wellington Bitcoin meetups
Zed: Also, I run this monthly Bitcoin meetup here in Wellington, and I'm very happy for anybody to come and talk with us. It's been quite quiet during this bear market. So feel free to come and join us. And yeah, if you have any more questions, send me an email. I'm always happy to discuss these things with anybody.
Kevin: Awesome. Thank you for that, Zed. And am I right that your next meetup is about the ETFs? Is that right?
Zed: Yes, ETFs were just approved. So in this next meetup, we will talk a bit more about what it means. Is it good or bad for Bitcoin? And how is the landscape of the whole Bitcoin and digital currency space now going to change?
Kevin: Very good. Well, thank you very much. And yeah, as I mentioned, we're recording this, so this will go live onto the knowledge hub so that people can access this as well, and we'll transcribe it. But yeah, thank you. Really appreciate your time. And yeah, those are Zed's contact details there if you want to get hold of him.
Zed: Thank you for having me.
Kevin: I really appreciate the time and the effort. So yeah, I look forward to catching up at the next Big Kiwi and/or Bitcoin Wellington catch-up.
Zed: Yes. Thanks everyone. Have a good day. Cool.
Kevin: Thanks, Zed. Cheers.